Silent refresh for implicit flow #43
Comments
Excellent @marcelnem! Let's ship this in the next version as we already talked.
Does this address the symptom where there's what appears as a temporary redirect before the page is authenticated? Each time my user refreshes an app - they temporarily see the current route change to
- Avoid the token update when the implicit flow is chosen.
- It will perform a silent refresh as planned in issue #43.
Just for your information:
Great to know @dasniko! Nice job!
@mauriciovigolo any updates on this? Refresh token does not work in any way.
@devansvd @mauriciovigolo The new Best Practice is that the code grant with PKCE should be used instead of the implicit grant for Single Page Applications. See the discussion here to learn why: PKCE support for the Keycloak JS adapter should be developed soon. See this PR:
I totally see that code grant with PKCE is more secure than the implicit flow. So I think the most secure solution at the moment would be code grant with PKCE and token renewal with iframe silent refresh. -> I think silent refresh is still needed.
I'm going to go ahead and see if we can get this implemented now considering
Looks like the required method |
Exactly, it would have to be implemented there first in order for this to work. Although I believe, if I am not mistaken, that
@marcelnem @mauriciovigolo totally agree. Code with PKCE is the recommended approach nowadays. https://devansvd.com/oauth/#authorization-code-grant-with-pkce
Closing this as the code grant flow is now the recommended standard and these changes will need to be made in |
It would also be nice to expand the updateToken() function to also support the implicit flow. Currently it works only with the standard flow. It is recommended to use the implicit flow with public clients such as an Angular SPA. Using the implicit flow prevents keeping a refresh token in a public application.
Silent refresh is usually implemented by the hidden iframe trick as is done in this library (https://manfredsteyer.github.io/angular-oauth2-oidc/angular-oauth2-oidc/docs/additional-documentation/refreshing-a-token-(silent-refresh).html). Auth0 also has an implementation for this and their code is also MIT licensed. (https://auth0.github.io/auth0.js/global.html#renewAuth)